In my Flutter web app, the credentials to access the Firebase backend are set in index.html
and anyone who clicks "view source" can see them.
What's to stop someone from using that to spoof the client and get access to the Firestore database with their own code instead of the client that's meant to access it?
Asked by Eight Rice

1 Answer
You will always have to leave a way for users to access your database, and thus also give them some way to locate your database. You should write secure Firestore security rules to govern the usage of your database. Users will always be able to access your database through other means than your front end. After all, your front end is just a portal for displaying the data in a user-friendly way. By adding security rules, however, you can limit the usage of your database to how it is intended.

hallis

- Well, the way it is intended is to have a common truth between all instances of the client app. And all clients can modify that common truth based on the business logic. If someone uses their custom logic to modify the database, then they would kind of break it. – Eight Rice Oct 21 '21 at 10:49
- In that case, it sounds to me like you'd want to have a server function (or serverless, like a Firebase function) which hosts the business logic. Then you deny users the ability to directly interact with the database. You do, however, grant them the ability to call your server function. – hallis Oct 21 '21 at 10:57
- Yeah, that's what I was considering now. There is the issue of latency though. If the client writes to Firestore directly it takes considerably less than the function, which opens the possibility of concurrency errors. The only rule I need to write is that nobody can modify more than one element of an array in a document. I'll see if I can express that in Firestore rules. Thanks! – Eight Rice Oct 21 '21 at 11:03
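As an added example (not from the question or answer above), here is a Firestore security rules file that puts the answer's point into practice: the config in index.html only identifies the project, so the rules are what actually gate access, including the "at most one array element per write" constraint from the comments and the deny-all-client-writes pattern for data owned by a server function. The collection names `boards` and `ledger` and the field name `items` are assumptions; the one-element check compares the lists as sets, so lists containing duplicate values are not handled exactly.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Approximation of "no more than one element changed": the lists may
    // differ by at most one element in each direction and in length.
    // Assumed helper, not part of the original post; duplicates in a list
    // collapse when converted to a set, so they are not counted exactly.
    function changedAtMostOne(before, after) {
      return before is list && after is list
        && after.toSet().difference(before.toSet()).size() <= 1
        && before.toSet().difference(after.toSet()).size() <= 1
        && math.abs(after.size() - before.size()) <= 1;
    }

    // Hypothetical collection edited directly by signed-in clients.
    match /boards/{boardId} {
      allow read: if request.auth != null;

      // A new document must start with "items" as a list.
      allow create: if request.auth != null
                    && request.resource.data.items is list;

      // Only the "items" field may change, and by at most one element.
      allow update: if request.auth != null
                    && request.resource.data.diff(resource.data)
                         .affectedKeys().hasOnly(['items'])
                    && changedAtMostOne(resource.data.items,
                                        request.resource.data.items);

      allow delete: if false;
    }

    // Hypothetical collection whose business logic lives in a Cloud
    // Function using the Admin SDK. The Admin SDK is not subject to these
    // rules, so denying all client writes leaves the function as the only
    // writer while clients can still read.
    match /ledger/{entryId} {
      allow read: if request.auth != null;
      allow write: if false;
    }
  }
}
```

Rules are evaluated per request, so the one-element constraint does not by itself resolve two concurrent clients each changing a different element; a transaction on the client, or the server-function route from the comments, is what serialises those.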